Cyber Essentials in 2026: why “Good Intentions” are no longer enough

By Dameon Merilaht, Head of Sales, CSG Computer Services Ltd.

For many years, cyber security conversations with businesses started the same way: “we know it’s important, we do take it seriously.”

And I believe them. Most organisations do care about cyber security.

But in 2026, caring about cyber security is no longer the same as being cyber resilient, and the UK Government has made that distinction very clear.

Today, organisations are expected not just to talk about security, but to prove that effective cyber controls are in place, working and evidenced. That’s where Cyber Essentials has moved from being “nice to have” to becoming the baseline standard for UK businesses.

At CSG, we work with organisations every week to help them achieve Cyber Essentials certification, and I can confidently say this:

Cyber Essentials has fundamentally changed, and so have expectations.

Cyber Essentials is not a tick‑box exercise

One of the biggest misconceptions I still encounter is that Cyber Essentials is just a form to complete once a year. That hasn’t been true for a long time, and it certainly isn’t true now.

The UK Government, via the National Cyber Security Centre [NCSC], is actively pushing Cyber Essentials across UK supply chains, public‑sector contracts and critical industries. As a result:

  • Controls must actually work
  • Risks must be actively managed
  • Evidence must be readily available

When businesses fail Cyber Essentials assessments, it’s rarely because they “don’t care”. It’s because they’ve been relying on assumptions instead of evidence.

What I’ve learned helping customers achieve Cyber Essentials

After working with hundreds of organisations on Cyber Essentials readiness, a few patterns come up again and again. Businesses don’t usually fail because of a complex cyber attack; they fail because of small gaps that have quietly built up over time.

Examples I regularly see:

  • MFA enabled for some users, but not all
  • Cloud services assumed to be “secure by default”
  • Patch management done “when time allows”
  • Remote workers unintentionally sitting outside the security perimeter
  • Legacy software still running because “it hasn’t caused an issue yet”

Cyber Essentials now exposes those assumptions [and that’s a good thing!]

What Cyber Essentials requires in 2026

Cyber Essentials still focuses on five technical control areas, but the standard of proof has increased significantly. Below is my short but practical overview of what UK businesses must now have in place to achieve Cyber Essentials certification.

1. Firewalls and secure network boundaries

Businesses must demonstrate that:

  • Boundary firewalls protect all internet‑facing connections
  • Host‑based firewalls are enabled on laptops and endpoints
  • Default credentials have been removed
  • Only necessary ports and services are exposed
  • Firewall rules are documented and actively managed

Remote and hybrid working devices are fully in scope, with no exceptions.

2. Secure configuration of systems

Every device and system must be securely configured:

  • Default passwords removed
  • Unnecessary software and services disabled
  • Auto‑run features restricted
  • Unsupported or end‑of‑life systems removed

This applies to:

  • Servers and desktops
  • Laptops used at home
  • Cloud‑hosted systems
  • Network devices and appliances

If software is unsupported, it cannot be in scope.

3. User access control [one of the biggest failure areas]

In 2026, access control is where many businesses come unstuck. Cyber Essentials now expects:

  • Unique user accounts for every individual
  • Separate admin and standard user accounts
  • Least‑privilege access enforced
  • Clear joiner / mover / leaver processes
  • Multi‑Factor Authentication [MFA] wherever it is available

I cannot stress this enough: If MFA is available and not enabled, certification will fail. This includes Microsoft 365, email, VPNs and cloud admin portals.

4. Malware protection

Every in‑scope device must have:

  • Active malware protection (such as Microsoft Defender)
  • Automatic signature updates
  • Protection that cannot be disabled by users

This covers:

  • Laptops
  • Desktops
  • Servers
  • Remote endpoints

Assumed protection is no longer accepted and assessors expect it to be validated.

5. Security update & patch management

This is another common failure point I see. Cyber Essentials requires:

  • Operating systems and applications fully supported
  • Security patches applied within 14 days
  • Third‑party applications included in patching
  • Evidence that updates are being applied consistently

Patching “when convenient” is no longer acceptable.
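As an added illustration, not CSG’s tooling or part of the original article, the Python below applies the 14‑day rule to a constructed device inventory and produces the per‑status counts an assessor asks for as evidence. Device names, patch labels and dates are all made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials requirement quoted on the page: security patches applied within 14 days.
PATCH_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class PatchRecord:
    device: str
    patch_id: str              # constructed label, not a real vendor advisory id
    released: date             # date the vendor published the security update
    installed: Optional[date]  # None means the update is still outstanding


def patch_status(rec: PatchRecord, as_of: date) -> str:
    """Classify one record against the 14-day window as seen on the assessment date:
    'compliant' installed by the deadline; 'pending' not installed but deadline not passed;
    'late' installed after the deadline; 'outstanding' not installed and deadline passed."""
    deadline = rec.released + PATCH_WINDOW
    if rec.installed is not None:
        return "compliant" if rec.installed <= deadline else "late"
    return "pending" if as_of <= deadline else "outstanding"


def find_breaches(records, as_of: date):
    """Records an assessor would flag: installed late, or still outstanding past the deadline."""
    return [r for r in records if patch_status(r, as_of) in ("late", "outstanding")]


def evidence_summary(records, as_of: date) -> dict:
    """Counts per status: the figures to present, each backed by a record in the inventory."""
    summary = {"compliant": 0, "pending": 0, "late": 0, "outstanding": 0}
    for rec in records:
        summary[patch_status(rec, as_of)] += 1
    return summary


# Constructed inventory and assessment date for illustration only.
AS_OF = date(2026, 3, 20)
SAMPLE_RECORDS = [
    PatchRecord("LAPTOP-01", "PATCH-EXAMPLE-001", date(2026, 3, 1), date(2026, 3, 5)),   # day 4
    PatchRecord("LAPTOP-02", "PATCH-EXAMPLE-001", date(2026, 3, 1), date(2026, 3, 20)),  # day 19: late
    PatchRecord("SERVER-01", "PATCH-EXAMPLE-002", date(2026, 3, 10), None),              # due 24 Mar
    PatchRecord("SERVER-02", "PATCH-EXAMPLE-003", date(2026, 2, 20), None),              # due 6 Mar
    PatchRecord("DESKTOP-01", "PATCH-EXAMPLE-001", date(2026, 3, 1), date(2026, 3, 15)), # exactly day 14
]

if __name__ == "__main__":
    for rec in find_breaches(SAMPLE_RECORDS, AS_OF):
        print(f"{rec.device}: {rec.patch_id} is {patch_status(rec, AS_OF)}")
    print(evidence_summary(SAMPLE_RECORDS, AS_OF))
```

Installing exactly on day 14 counts as compliant, and an update that is not yet due is reported as pending rather than as a breach, so the report distinguishes a real gap from a patch that is simply still inside its window.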

Cloud & remote working

One of the biggest changes in recent years is how seriously cloud services and remote working are now assessed. I regularly remind clients:

Moving to the cloud does not transfer responsibility.

For Cyber Essentials:

  • Microsoft 365 is in scope
  • Cloud configuration is your responsibility
  • Admin access must be secured
  • MFA must be enforced
  • Remote users must meet the same standards as office‑based staff

Cyber Essentials has become more demanding, but it doesn’t have to be painful.

At CSG, our role isn’t just to help clients pass certification. It’s to help them build a level of cyber resilience they can stand behind with confidence. When we support organisations with Cyber Essentials, we focus on:

  • Practical remediation, not box‑ticking
  • Clear explanations, not jargon
  • Reducing risk, not just passing an assessment
  • Making sure controls stay in place after certification

Because cyber resilience isn’t something you review once a year – it’s something you live with every day.

Cyber Essentials is no longer about “meeting minimum standards”. It’s about:

  • Trust
  • Resilience
  • Accountability
  • Being able to demonstrate that you take cyber security seriously

In 2026, Cyber Essentials is the baseline, not the finish line. If you’re unsure whether your organisation would meet the standard today – that uncertainty is your signal to act. Book a call today to learn more.
